
Infected with Rootkit and Trojans Please help


  • This topic is locked
3 replies to this topic

#1 warren-out

warren-out

  • Members
  • 4 posts
  • OFFLINE
  • Local time:09:07 AM

Posted 12 February 2009 - 11:43 AM

Hello, I seem to have caught some kind of nasty virus. My computer started acting a little strange last Thursday (I could not use Nero for burning CDRs but could burn multiple DVDs from ConvertXtoDVD). Stupidly, I downloaded a torrent version of Alcohol 120 to see if it was the program or the burner. I then started getting web page pop-ups about virus removal tools. AVG free edition was not catching anything so I tried System Restore. So I would have some protection I used the trial version of Norton (I've included a Norton Quarantine and Restore Report below the HJT report for info's sake). I then ran a full scan with Norton, which seemed to make matters much worse and brought me to this point. I have no CD reading abilities, no internet, I can copy but not paste (paste greyed out) and System Restore says 'system restore can't protect your system. Please reboot.' I've been using a photo card and/or putting them into zip files to get rescue programs onto the damaged computer. I have a ComboFix log if needed. Please help and thanks in advance.





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:36:03 AM, on 12/02/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\DISC\DISCover.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DISC\DiscGui.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
J:\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://shop.ebay.com/merchant/bumblybeenme...3911Q2ec0Q2em14
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\explorer.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-21-4194603867-2091868012-2902052522-1008\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-4194603867-2091868012-2902052522-1008\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O23 - Service: Application Management (AppMgmt) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Computer Browser (Browser) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Logical Disk Manager (dmserver) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Error Reporting Service (ERSvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Help and Support (helpsvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Workstation (lanmanworkstation) - Unknown owner - (no file)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Secondary Logon (seclogon) - Unknown owner - (no file)
O23 - Service: System Event Notification (SENS) - Unknown owner - (no file)
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Shell Hardware Detection (ShellHWDetection) - Unknown owner - (no file)
O23 - Service: Distributed Link Tracking Client (TrkWks) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: UPS - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
O23 - Service: Windows Time (W32Time) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Portable Media Serial Number Service (WmdmPmSN) - Conexant Systems, Inc. - (no file)
O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - (no file)
O23 - Service: Wireless Zero Configuration (WZCSVC) - Unknown owner - (no file)

--
End of file - 7098 bytes







Norton Quarantine and Restore Report
Created: February 10, 2009 6:52:31 PM
------------------------------------------------------------------------------

File Name
Location
Status Size Risk Name
User Name Machine Name Domain
Date Quarantined
Submitted to Symantec

------------------------------------------------------------------------------

svchost.exe
c:\windows\system32
Quarantined 30.5 KB W32.Virut.CF
Compaq_Administrator YOUR-4DACD0EA75 YOUR-4DACD0EA75
February 9, 2009 10:40:19 PM
Not submitted

------------------------------------------------------------------------------

VRT2.tmp
C:\WINDOWS\TEMP
Backup of an infected file 11.5 KB Downloader
SYSTEM YOUR-4DACD0EA75 WORKGROUP
February 9, 2009 12:50:08 PM
Not submitted

------------------------------------------------------------------------------

VRT2.tmp
C:\WINDOWS\TEMP
Backup of an infected file 11.5 KB Downloader
Downloader YOUR-4DACD0EA75 YOUR-4DACD0EA75
February 8, 2009 11:02:40 PM
Not submitted

------------------------------------------------------------------------------

SVCHOST.EXE
C:\PROGRAM FILES\MICROSOFT COMMON
Backup of an infected file 45.0 KB Trojan.Dropper
SYSTEM YOUR-4DACD0EA75 WORKGROUP
February 9, 2009 11:10:07 AM
Not submitted

------------------------------------------------------------------------------

protect.sys
C:\WINDOWS\System32\drivers
Backup of an infected file 18.5 KB Hacktool.Rootkit
SYSTEM YOUR-4DACD0EA75 WORKGROUP
February 9, 2009 12:35:51 PM
Not submitted

------------------------------------------------------------------------------

WINLOGNN.EXE
C:\DOCUME~1\COMPAQ~1\LOCALS~1\TEMP
Backup of an infected file 14.6 KB Downloader.MisleadApp
SYSTEM YOUR-4DACD0EA75 WORKGROUP
February 9, 2009 11:10:39 AM
Not submitted

------------------------------------------------------------------------------

protect.sys
C:\WINDOWS\system32\drivers
Backup of an infected file 18.5 KB Hacktool.Rootkit
SYSTEM YOUR-4DACD0EA75 WORKGROUP
February 8, 2009 10:48:37 PM
Not submitted

------------------------------------------------------------------------------

agentsvr.exe
c:\windows\msagent
Quarantined 267 KB W32.Virut.CF
Compaq_Administrator YOUR-4DACD0EA75 YOUR-4DACD0EA75
February 9, 2009 8:05:54 PM
Not submitted

------------------------------------------------------------------------------

protect.sys
c:\windows\system32\drivers
Backup of an infected file 18.5 KB Hacktool.Rootkit
SYSTEM YOUR-4DACD0EA75 WORKGROUP
February 8, 2009 10:36:11 PM
Not submitted

------------------------------------------------------------------------------

VRT2.tmp
C:\WINDOWS\TEMP
Backup of an infected file 11.5 KB Downloader
SYSTEM YOUR-4DACD0EA75 WORKGROUP
February 9, 2009 3:02:30 PM
Not submitted

------------------------------------------------------------------------------

VRT20C.tmp
C:\WINDOWS\TEMP
Backup of an infected file 11.5 KB Downloader
SYSTEM YOUR-4DACD0EA75 WORKGROUP
February 9, 2009 9:58:41 AM
Not submitted

------------------------------------------------------------------------------

xliqkgvj.exe
c:\windows
Backup of an infected file 3.51 KB Downloader
SYSTEM YOUR-4DACD0EA75 WORKGROUP
February 8, 2009 10:36:11 PM
Not submitted

------------------------------------------------------------------------------

VRT2.tmp
C:\WINDOWS\TEMP
Backup of an infected file 11.5 KB Downloader
SYSTEM YOUR-4DACD0EA75 WORKGROUP
February 9, 2009 7:18:57 AM
Not submitted

------------------------------------------------------------------------------

VRT2.tmp
C:\WINDOWS\TEMP
Backup of an infected file 11.5 KB Downloader
SYSTEM YOUR-4DACD0EA75 WORKGROUP
February 9, 2009 10:28:25 AM
Not submitted

------------------------------------------------------------------------------

GCC.EXE
C:\WINDOWS\SYSTEM32
Backup of an infected file 63.0 KB W32.Mytob@mm
SYSTEM YOUR-4DACD0EA75 WORKGROUP
February 9, 2009 7:39:04 AM
Not submitted

------------------------------------------------------------------------------

WINLOGNN.EXE
C:\WINDOWS\TEMP
Backup of an infected file 14.6 KB Downloader
SYSTEM YOUR-4DACD0EA75 WORKGROUP
February 9, 2009 11:10:38 AM
Not submitted

------------------------------------------------------------------------------

VRT2.tmp
C:\WINDOWS\TEMP
Backup of an infected file 11.5 KB Downloader
SYSTEM YOUR-4DACD0EA75 WORKGROUP
February 8, 2009 10:48:48 PM
Not submitted

------------------------------------------------------------------------------


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:07 PM

Posted 23 February 2009 - 04:17 PM

Hello.

Yes, you indeed have a rootkit. More specifically, a Virut infection and backdoors. :thumbup2:

Virut File Infector Warning
Your system is infected with a polymorphic file infector called Virut. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore the files are corrupted beyond repair. As of now, security experts suggest that a clean reformat is the only way to clean the infection and it is the only way to return the machine to its normal working state.

Back up all your documents and important items (personal data, work documents, etc.) only. DO NOT back up any executable files (software) and screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

Also, try to avoid backing up compressed files (zip/cab/rar) that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.


Tell me what you wish to do.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

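As an added illustration of the backup rule in the post above (this is not code from the thread or its author), the following Python script walks a folder and separates files that are safe to copy from the .exe/.scr files, and zip archives containing them, that the post says must be left out. The helper names and the sample tree are constructed for this example; it inspects only zip archives, not cab or rar.

```python
import os
import tempfile
import zipfile

# Extensions Virut appends itself to, per the post above (hypothetical helper names).
INFECTABLE = {".exe", ".scr"}

def is_infectable(name):
    return os.path.splitext(name)[1].lower() in INFECTABLE

def risky_zip_members(path):
    """Names of .exe/.scr members inside a zip; empty if none or not a valid zip."""
    try:
        with zipfile.ZipFile(path) as zf:
            return [m for m in zf.namelist() if is_infectable(m)]
    except (zipfile.BadZipFile, OSError):
        return []

def classify_backup(root):
    """Split files under root into (safe, excluded); each excluded entry carries a reason."""
    safe, excluded = [], []
    for dirpath, _, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            if is_infectable(f):
                excluded.append((p, "executable or screensaver"))
            elif f.lower().endswith(".zip") and (m := risky_zip_members(p)):
                excluded.append((p, "zip contains " + ", ".join(m)))
            else:
                safe.append(p)
    return safe, excluded

def build_sample_tree(root):
    """Constructed sample: a few documents, two executables, two archives."""
    os.makedirs(os.path.join(root, "docs"))
    for name in ("docs/report.doc", "holiday.jpg", "setup.exe", "saver.scr"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"constructed sample content")
    with zipfile.ZipFile(os.path.join(root, "tools.zip"), "w") as zf:
        zf.writestr("readme.txt", "text")
        zf.writestr("installer.exe", "MZ")   # executable hidden inside an archive
    with zipfile.ZipFile(os.path.join(root, "notes.zip"), "w") as zf:
        zf.writestr("notes.txt", "text")

def run_demo():
    """Build the sample tree in a temp dir and return sorted basenames of each group."""
    root = tempfile.mkdtemp()
    build_sample_tree(root)
    safe, excluded = classify_backup(root)
    return sorted(os.path.basename(p) for p in safe), sorted(os.path.basename(p) for p, _ in excluded)
```

Run `run_demo()` to see the split on the constructed tree; point `classify_backup` at a real folder to list what to leave out of a backup.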

#3 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:07 PM

Posted 26 February 2009 - 04:38 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding. :thumbup2:

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:07 PM

Posted 28 February 2009 - 07:56 AM

Hello.

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal forum.

With Regards,
Extremeboy

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.
